Page MenuHomePhabricator

Authn and authz as a service
Closed, DuplicatePublic

Description

We need to provide Authz/Authn as a service. The primary consumers will be MediaWiki and other standalone services in the Wikimedia infrastructure and third party applications making use of Wikimedia sites.

There's two of major steps here

  1. Finalize T380: RfC: SOA Authentication. This needs to take into account the larger question of "how do we inject services into MediaWiki core in a reusable way?" and "how do we handle legacy hooks in such services?"
  2. Implement services based on RFC - authn first and authz second.

Stuff like OpenID and Captchas are out of scope here. A number of OAuth fixes would be in scope. Improved 2FA could follow very soon after this.

Event Timeline

demon created this task.Dec 19 2014, 1:44 AM
demon raised the priority of this task from to Needs Triage.
demon updated the task description. (Show Details)
demon added projects: MediaWiki-Core-Team, Epic.
demon changed Security from none to None.
demon added a subscriber: demon.
bd808 added a subscriber: bd808.Dec 24 2014, 5:24 PM

I think we should consider issues like T19312: Separate UserLogin from authentication process; create account creation and identification internal API to be in scope for this project. It seems reasonable to me that we will need to refactor/rethink the authn/authz stack inside MediaWiki in order to make it possible to use an external service if that is where the project ends up going.

The notes from the meeting are here on the subject are here: http://etherpad.wikimedia.org/p/SOAAuth

demon removed a subscriber: demon.Aug 19 2015, 3:37 PM